Hi,
I have 20 Linux servers in the network. Is there a way to audit all Linux clients using a centralized server? For example, what commands are run by John on Linuxnode1, Steve on Linuxnode15, and so on, to track user activity: which files have been modified or edited, which commands were run, etc., by the users.
I have installed auditd, but it is local to the Linux server. Thanks in advance.
Best Regards,
Kaushal
A cut-and-paste from my Wiki:
-------------------%<------------------------
Remote logging
Auditing, particularly from compute nodes, may be centralised to reduce the number of files needed to get a view of the cluster.
Server
The server machine must be configured to accept messages and must have a large enough logging area to store the records.
The server listens on port 60. Configure this as tcp_listen_port in /etc/audit/auditd.conf.
The server must only accept messages from a privileged port. If this is not done any userland process could inject nefarious messages. It is safe to configure the server to accept messages from any privileged port: tcp_client_ports=1-1023 in /etc/audit/auditd.conf.
On the server increase tcp_listen_queue to 16 to ensure enough requests for connections can be handled during a power-on bootup.
You will need to restart the daemon for these changes to come into effect.
Clients
The client machines may either forward messages at once or else batch them up in a queue. Generally machines with local storage should use the queue which preserves the log in the event of a crash.
You will need to restart the daemon for all these changes to come into effect: systemctl restart auditd.
Ensure the appropriate software and configuration is loaded: # yum install audisp-remote
/etc/audisp/audisp-remote.conf
The client needs to know where, and to which port to send messages. As mentioned above, the client must send from a privileged port.
remote_server=<server FQDN> port=60 local_port=61
On diskless clients set mode=immediate, on other clients set mode=forward. Accept the defaults for queue_file and queue_depth.
/etc/audisp/plugins.d/au-remote.conf
By default the dispatcher is configured off, therefore remember to set
active=yes
to turn on the remote logging.
/etc/audit/auditd.conf
Once you are happy with the logging, turn off the local copy. For CentOS C7.3 and later machines use:
local_events = no
log_format = RAW
------------------%<----------------------------
I have not tested this recently, it was last running (IIRC) on C6/7, so proceed with caution.
Regards, Martin
On 09/07/2021 08:08, Kaushal Shriyan wrote:
_______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
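Martin's notes above as a runnable check, in Python. This is an added example, not code from his wiki or from the audit project: it writes the three server keys and the client keys he lists into config text idempotently (re-running leaves one definition per key) and then reports what would stop a client's records from being accepted on the server: plugin not active, port not matching tcp_listen_port, local_port outside the server's tcp_client_ports, or an invalid mode. Two things a practitioner wants to know are surfaced as warnings: leaving tcp_client_ports unset makes the server accept any source port, and the privileged-port filter only stops unprivileged local processes on a client from forging records; anyone with root on the network path can still inject, and the stream is cleartext, unless enable_krb5 = yes is set in audisp-remote.conf. The stock file contents, the host name audit.example.org and the function names are this example's own. On CentOS 7 restart with "service auditd restart", since systemctl refuses to stop auditd.

```python
"""Added example, not code from Martin's wiki: set the auditd / audisp-remote
keys his notes list and check that a client will actually be accepted by the
server. File names and port numbers are the ones from the notes; function
names, the sample file contents and the host name are this example's own."""
import re
from pathlib import Path

# Server side (/etc/audit/auditd.conf): exactly the three keys from the notes.
SERVER_KEYS = {"tcp_listen_port": "60", "tcp_client_ports": "1-1023",
               "tcp_listen_queue": "16"}


def client_keys(server, port="60", local_port="61", mode="forward"):
    """Client side (/etc/audisp/audisp-remote.conf); mode=immediate on diskless nodes."""
    return {"remote_server": server, "port": port, "local_port": local_port, "mode": mode}


def set_key(text, key, value):
    """Return TEXT with KEY defined exactly once as 'KEY = VALUE'. The first
    existing definition, active or commented out, is rewritten in place and
    later duplicates are dropped, so applying the same keys twice is a no-op."""
    pat = re.compile(rf"^[#\s]*{re.escape(key)}\s*=")
    out, done = [], False
    for line in text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{key} = {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def get_key(text, key):
    """Effective value of KEY (last active definition) or None when unset."""
    pat = re.compile(rf"^\s*{re.escape(key)}\s*=\s*(.*?)\s*$")
    value = None
    for line in text.splitlines():
        m = pat.match(line)
        if m:
            value = m.group(1)
    return value


def apply_keys(text, keys):
    for key, value in keys.items():
        text = set_key(text, key, value)
    return text


def apply_keys_to_file(path, keys):
    """In-place variant for a real host; restart auditd afterwards
    ('service auditd restart' on CentOS 7, where systemctl refuses)."""
    p = Path(path)
    p.write_text(apply_keys(p.read_text(), keys))


def check_client(server_conf, remote_conf, plugin_conf):
    """Return (errors, warnings). Errors stop records from reaching the
    server; warnings are settings the server accepts but that are weak."""
    errors, warns = [], []
    if get_key(plugin_conf, "active") != "yes":
        errors.append("au-remote.conf: plugin not active, nothing is forwarded")
    listen = get_key(server_conf, "tcp_listen_port")
    if listen is None:
        errors.append("auditd.conf: tcp_listen_port unset, server is not listening")
    elif get_key(remote_conf, "port") != listen:
        errors.append("audisp-remote.conf: port differs from server tcp_listen_port")
    spec = get_key(server_conf, "tcp_client_ports")
    if spec is None:
        lo, hi = 1, 65535  # auditd default: any source port is accepted
        warns.append("auditd.conf: tcp_client_ports unset, server accepts any source port")
    else:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), int(hi or lo)
    local = get_key(remote_conf, "local_port") or ""
    if not (local.isdigit() and lo <= int(local) <= hi):
        errors.append(f"audisp-remote.conf: local_port {local!r} is outside "
                      f"server tcp_client_ports {lo}-{hi}")
    if get_key(remote_conf, "mode") not in ("immediate", "forward"):
        errors.append("audisp-remote.conf: mode must be immediate or forward")
    if get_key(remote_conf, "enable_krb5") != "yes":
        warns.append("audisp-remote.conf: enable_krb5 off, stream is cleartext and "
                     "any root on the network can inject records")
    return errors, warns


# Constructed stand-ins for the stock files (the real ones ship mostly commented out).
STOCK_AUDITD = "log_file = /var/log/audit/audit.log\n##tcp_listen_port = 60\n##tcp_client_ports = 1024-65535\n"
STOCK_REMOTE = "remote_server = \nport = 60\nlocal_port = any\nmode = immediate\n"
STOCK_PLUGIN = "active = no\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n"

if __name__ == "__main__":
    server = apply_keys(STOCK_AUDITD, SERVER_KEYS)
    remote = apply_keys(STOCK_REMOTE, client_keys("audit.example.org"))
    plugin = set_key(STOCK_PLUGIN, "active", "yes")
    errors, warns = check_client(server, remote, plugin)
    print("errors:", errors or "none")
    print("warnings:", warns)
```

Run check_client against the three files before the restart; an empty error list means the server will take the connection, and the warning about enable_krb5 is the reminder that privileged-port filtering is not authentication.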
Quoting Kaushal Shriyan kaushalshriyan@gmail.com:
Hello, what about Ansible, for example? Ralf
This is what I remember about evil Microsoft. In 1992, Microsoft released Windows NT, advertised it as the greatest operating system, and began giving away free licenses to colleges and universities and hiring public relations firms to publish phony surveys and results to prove Windows NT was better than Novell NetWare or any other OS. Meanwhile, it took 4 years for Microsoft to finally install Windows NT at their HQ in Redmond, Washington. Why so long? Because they were successfully running Novell NetWare, the same NetWare that Microsoft was slowly destroying with FUD in the tech journals and media with phony surveys. Someone here said a leopard never changes his spots. KUDOS, Sir! Microsoft is a cancer, a cancer to freedom, a cancer to innovation, and always was. Who didn't they destroy back in the 90's and early 2000's? They stole Word from WordPerfect, they stole Office from Borland, and Excel was plagiarized from Lotus 1-2-3. Microsoft deserves to be hacked and destroyed and is the epitome of the most evil and treacherous an American corporation can become. I HATE MICROSOFT, and so do many others who survived their FUD tactics from the 90's. Some of you weren't even born yet. I know Gates and Ballmer and company all too well, long before the documentaries "Pirates Of Silicon Valley" and "Triumph Of The Nerds". Any efforts they make toward Linux are for control and never for freedom or innovation. Control, power, greed are their only goals, always. WAKE UP!
On Fri, 2021-07-09 at 09:25 +0200, Ralf Prengel wrote:
Before anyone mentions "charity" and the Bill Gates foundation, just remember how many good technology companies and software Microsoft destroyed with FUD tactics in the 80's, 90's, and 2000's. Charity begins at home, they say in America. What about those few million employees who lost jobs, homes, cars, savings because Microsoft destroyed their companies? What about them? Where was their charity? In America it's all too common to use treachery and dishonesty in business and politics to climb to the top and destroy competition, and then pretend to give to charitable causes. Pure hypocrisy, blatant hypocrisy. I for one cannot be bought, never. As a veteran and so many other things, I will never surrender to corporate bullying from anyone, including Amazon; I left AWS for similar reasons. I am proud to say I have not used a Windows OS since 1995, and still refuse to this day to allow any Microsoft devices to attach to my SOHO networks. Same for Apple and IBM and Oracle. Freedom is more than an idea, more than a principle, it is a lifestyle too!
On Fri, 2021-07-09 at 08:14 -0400, mario juliano grande-balletta wrote:
I don't think it is a problem limited to America. Greed exists worldwide.
On Fri, Jul 9, 2021 at 8:48 AM mario juliano grande-balletta < mario.balletta@gmail.com> wrote:
On Fri, 9 Jul 2021 at 08:14, mario juliano grande-balletta mario.balletta@gmail.com wrote:
This is drifting off of being anywhere on-topic for this list.
Apologies for being off topic. Hopefully I don't get censored. Not another word. I usually never post comments anyway. Back to my cave.
On Fri, 2021-07-09 at 09:18 -0400, Stephen John Smoogen wrote:
On Fri, Jul 09, 2021 at 08:14:06AM -0400, mario juliano grande-balletta wrote:
WAKE UP!
<sarcasm>Whew, I needed a wake up call! I was falling asleep at my keyboard!</sarcasm>
In all seriousness, I think forwarding the audit logs works, and if you just want to track when users execute a program, you'll need to add an audit rule. I believe we had something like this in /etc/audit/rules.d/:
-a exit,always -F arch=b64 -F euid>1000 -S execve
-a exit,always -F arch=b32 -F euid>1000 -S execve
This captured all execve() syscalls for users with an effective user ID greater than 1000 (so as not to audit system processes).
We didn't actually send it to a remote auditd server, though, because it was so chatty and we had a lot of users and workstations. We had an Elasticsearch cluster and sent the audit logs directly with logstash and then Beaver (https://python-beaver.readthedocs.io/en/latest/) This was done because we had redundant ingesters and a cluster of ES servers so logs were less likely to be dropped.
Then we had some simple frontends for the ES cluster to make it so we could quickly bring up what processes a user ran on what system. (The kibana interface is nice but too complex for a super simple query like that.) Along with collecting OS statistics like load, memory use, etc., we could track what users ran and how much resources they used.
Of course, at this job, we dropped all that and switched to Crowdstrike Falcon, a commercial security tool that does largely the same thing but with a proprietary LSM.
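The execve rule above yields raw records; turning them into the "what did John run on Linuxnode1" answer the thread started with takes a little parsing. The following is an added example, not code from the post or from the audit project. The log lines are constructed: the node= prefix is what a client emits when auditd.conf has name_format = hostname, and key="exec" assumes the rule was loaded with -k exec; the uid-to-name table stands in for pwd.getpwuid on a real host. It groups records by (node, serial), because serials restart per host and records from twenty clients interleave on the server, joins the a<N>[<i>] chunks the kernel emits for long arguments, hex-decodes arguments that contain spaces, skips events with a record missing (lost in transit), and keys the result on auid, the login UID, which survives sudo and su. One caveat on the rule as posted: matching euid>1000 drops anything run under sudo (euid 0) and also UID 1000 itself; a rule on -F auid>=1000 -F auid!=unset catches both, and record 302 in the sample is what such a rule would produce for John running id under sudo.

```python
"""Added example, not code from the post above: answer "which commands did
John run on linuxnode1" from RAW audit.log records produced by an execve
rule. The records and the uid->name table are constructed for the example
(use pwd.getpwuid on a real host); key="exec" assumes the rule carried
-k exec, and node= appears when clients set name_format = hostname."""
import re
from collections import defaultdict

# Constructed sample: two users on two nodes, one failed exec, one sudo'd exec,
# one hex-encoded argument (contains a space) and one argument split into chunks.
SAMPLE_LOG = """\
node=linuxnode1 type=SYSCALL msg=audit(1625817600.101:301): arch=c000003e syscall=59 success=no exit=-13 items=2 ppid=2001 pid=2345 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="cat" exe="/usr/bin/cat" key="exec"
node=linuxnode1 type=EXECVE msg=audit(1625817600.101:301): argc=2 a0="cat" a1="/etc/shadow"
node=linuxnode1 type=CWD msg=audit(1625817600.101:301): cwd="/home/john"
node=linuxnode1 type=SYSCALL msg=audit(1625817600.250:302): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2345 pid=2350 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="id" exe="/usr/bin/id" key="exec"
node=linuxnode1 type=EXECVE msg=audit(1625817600.250:302): argc=1 a0="id"
node=linuxnode15 type=SYSCALL msg=audit(1625817601.007:58): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=910 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=2 comm="ls" exe="/usr/bin/ls" key="exec"
node=linuxnode15 type=EXECVE msg=audit(1625817601.007:58): argc=3 a0="ls" a1="-la" a2=2F746D702F6D7920646972
node=linuxnode15 type=CWD msg=audit(1625817601.007:58): cwd="/home/steve"
node=linuxnode15 type=SYSCALL msg=audit(1625817602.500:59): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=910 pid=915 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=2 comm="curl" exe="/usr/bin/curl" key="exec"
node=linuxnode15 type=EXECVE msg=audit(1625817602.500:59): argc=3 a0="curl" a1="-d" a2_len=12 a2[0]="abcdef" a2[1]="ghijkl"
"""

FIELD = re.compile(r'(\S+?)=("(?:[^"\\]|\\.)*"|\S*)')   # key=value, value may be quoted
MSG = re.compile(r"audit\((\d+\.\d+):(\d+)\)")            # timestamp:serial
ARG = re.compile(r"^a(\d+)(?:\[(\d+)\])?$")               # a0, a1, or chunk a1[2]
HEX = re.compile(r"^[0-9A-F]+$")


def parse_record(line):
    """One audit line -> dict. Quoted values lose their quotes; EXECVE args
    are kept raw so decode_arg can tell hex from a quoted string."""
    rec = {}
    for key, val in FIELD.findall(line):
        quoted = len(val) >= 2 and val[0] == val[-1] == '"'
        rec[key] = val if ARG.match(key) else (val[1:-1] if quoted else val)
    m = MSG.search(rec.get("msg", ""))
    if not m or "type" not in rec:
        return None
    rec["time"], rec["serial"] = float(m.group(1)), int(m.group(2))
    return rec


def decode_arg(raw):
    """RAW format hex-encodes an argument (no quotes) when it holds a space
    or a non-printable byte; everything else arrives quoted."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if HEX.match(raw) and len(raw) % 2 == 0:
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def argv_from(execve):
    """Rebuild argv, joining the a<N>[<i>] chunks the kernel emits for long args."""
    parts = defaultdict(dict)
    for key, raw in execve.items():
        m = ARG.match(key)
        if m:
            parts[int(m.group(1))][int(m.group(2) or 0)] = decode_arg(raw)
    return ["".join(chunks[i] for i in sorted(chunks)) for _, chunks in sorted(parts.items())]


def assemble(lines):
    """Group records by (node, serial): serials restart per host and records
    from many nodes interleave on the server. Events lacking SYSCALL or
    EXECVE (a record lost in transit) are skipped rather than misattributed."""
    groups = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        if rec:
            groups[(rec.get("node", "local"), rec["serial"])][rec["type"]] = rec
    events = []
    for (node, _), recs in groups.items():
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not (sc and ex):
            continue
        events.append({"node": node, "time": sc["time"], "auid": int(sc["auid"]),
                       "euid": int(sc["euid"]), "argv": argv_from(ex),
                       "cwd": recs.get("CWD", {}).get("cwd"),
                       "success": sc.get("success") == "yes"})
    return sorted(events, key=lambda e: (e["time"], e["node"]))


USERS = {1001: "john", 1002: "steve"}  # constructed stand-in for pwd.getpwuid


def commands_by_user(lines, resolve=USERS.get):
    """{login user: [(node, command line, success, euid)]}. Keyed on auid, the
    login uid, which survives sudo/su; euid is kept so privileged runs stand out."""
    out = defaultdict(list)
    for e in assemble(lines):
        user = resolve(e["auid"]) or str(e["auid"])
        out[user].append((e["node"], " ".join(e["argv"]), e["success"], e["euid"]))
    return dict(out)


if __name__ == "__main__":
    for user, runs in commands_by_user(SAMPLE_LOG.splitlines()).items():
        for node, cmd, ok, euid in runs:
            print(f"{user:6} {node:12} euid={euid:<5} {'ok  ' if ok else 'FAIL'} {cmd}")
```

Feed it the server's audit.log (or an ausearch -k exec --raw extract) and filter the returned dict by user and node; the same grouping logic is what you would put in front of a search index if, as above, the volume pushes you off a single auditd server.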